Using PowerShell to Combat CryptoLocker

On the Varonis blog, we recently wrote about how CryptoLocker—the malware that encrypts your local files and holds them for a Bitcoin ransom—has better marketing than many companies. However, we...
Michael Buckbee
3 min read
Last updated October 14, 2022

On the Varonis blog, we recently wrote about how CryptoLocker—the malware that encrypts your local files and holds them for a Bitcoin ransom—has better marketing than many companies. However, we thought it would be helpful to also offer some tactical advice for dealing with CryptoLocker using our sysadmin tool of choice: PowerShell.

What follows are the best scripts we’ve found for preventing, detecting, identifying, and remediating a CryptoLocker infection with PowerShell.

Get the Free PowerShell and Active Directory Essentials Video Course

Prevention

One of the few proven ways of stopping CryptoLocker from gaining a foothold on a network (or even a single computer) is the use of the AppLocker utility (or its predecessor Software Restriction Policies), which can be used to allow or deny the execution of an application.

CryptoLocker is usually spread via an executable email attachment, which then installs in %AppData%\*.exe, so preventing executables from launching from this path will help ward off CryptoLocker and other similarly structured malware.

Microsoft has made this easier for you to roll out with its release of AppLocker Windows PowerShell Cmdlets, which automate much of the process:

http://technet.microsoft.com/en-us/library/hh994594.aspx

Detection

HoneyPots

A common means of testing for CryptoLocker and other malware is to use a Honeypot file. A file of the appropriate type (for CryptoLocker this would be primarily Microsoft Office documents and photos) is placed in an accessible location on the network and, if modified, alerts the system administrators that unauthorized access has occurred.  Importantly, the filename or directory should try to signify to human users that they shouldn’t touch it.  More on this here:

http://www.reddit.com/r/sysadmin/comments/1qf7yi/cryptolocker_using_powershell_as_a_tripwire/

Varonis

Varonis customers have had success detecting and reacting to CryptoLocker infections using DatAdvantage and DatAlert.  The former captures a continuous log of your network file system, intranet, and email activity and the latter allows you to generate real-time alerts when CryptoLocker behavior is observed—you could use a threshold (e.g., modified more than 100 files in a minute) or a honeypot.  You can even make your alert kick-off a PowerShell script that disables the offending user account.

Identification

Find-PCBCrypto

A PowerShell function to aid in finding CryptoLocker encrypted files. This PS script works by comparing the NTFS Master File Table modification time to that of the local file’s timestamps. Differences between these two values indicate possible unauthorized file encryption, though the author warns that false positives will most likely be found, so proceed with caution.

http://poshcodebear.com/blog/2014/5/2/function-to-aid-in-finding-cryptolocker-encrypted-files

CryptoLocker / OU Scan Reporter

This script queries hosts on a network OU and scans each for potential CryptoLocker activity.  The results are then written back to an Excel file. The script relies upon being able to access the Windows Remote Registry Service to search for the known values that CryptoLocker writes to an infected system.

https://gallery.technet.microsoft.com/scriptcenter/Cryptolocker-report-8155ac6b

Dump Local Encrypted Files List from the Registry

The following PowerShell one-liner function will export a list of files that the local CryptoLocker infection has encrypted. Differing versions of CryptoLocker in the wild appear to modify this registry location, so this will likely not work with all variants that might be encountered.

(Get-Item HKCU:\Software\CryptoLocker\Files).GetValueNames().Replace(“?”,”\”) | Out-File CryptoLockerFiles.txt -Encoding unicode

Remediation

Due to the manner in which CryptoLocker encrypts files, it is generally considered impossible to recover them without access to the underlying cryptographic keys used by the attackers. Fortunately, through the efforts of some security firms, it is now possible to recover the key used for encrypting the files and then to unlock them for a full recovery.

The website https://decryptcryptolocker.com/ will let you upload an infected file and then will email you the associated key. The key, together with the recovery program from the site will let you unlock your files.

Decryptolocker.exe –key “<key>” <Lockedfile.doc>

Depending on how you built your list of encrypted files, this process can be further automated with PowerShell’s foreach command.

http://blogs.technet.com/b/heyscriptingguy/archive/2014/04/28/basics-of-powershell-looping-foreach.aspx

Conclusion

The mass wave of CryptoLocker infections has prompted many to create free tools and scripts to help you combat infections. However, given the economic success enjoyed by the CryptoLocker’s authors it is only a matter of time before the next devastating round of ransomware is unleashed.  To minimize the threat, we suggest you go back to our 4 As: authentication, authorization, auditing, and alerting.

Further, learning more practical, security focused PowerShell will help you protect your network regardless of the source of the threat. You can unlock the full 3 hour video course on PowerShell and Active Directory Essentials with the code cmdlet.

What should I do now?

Below are three ways you can continue your journey to reduce data risk at your company:

1

Schedule a demo with us to see Varonis in action. We'll personalize the session to your org's data security needs and answer any questions.

2

See a sample of our Data Risk Assessment and learn the risks that could be lingering in your environment. Varonis' DRA is completely free and offers a clear path to automated remediation.

3

Follow us on LinkedIn, YouTube, and X (Twitter) for bite-sized insights on all things data security, including DSPM, threat detection, AI security, and more.

Try Varonis free.

Get a detailed data risk report based on your company’s data.
Deploys in minutes.

Keep reading

Varonis tackles hundreds of use cases, making it the ultimate platform to stop data breaches and ensure compliance.

the-difference-between-a-computer-virus-and-computer-worm
The Difference between a Computer Virus and Computer Worm
Viruses and worms are often used interchangeably: there are a few key differences in how they work. Both viruses and worms are a type of malware: a worm is a...
what-is-a-rootkit?-how-can-you-detect-it?
What is a Rootkit? How Can You Detect it?
Think there might be a chance you caught a rootkit virus? Learn more about these toolboxes of the malware world and just how to detect them with our guide. 
anatomy-of-a-solidbit-ransomware-attack
Anatomy of a SolidBit Ransomware Attack
Solidbit is a ransomware variant derived from Yashma and containing elements of LockBit. Discover how Solidbit's capabilities, execution, what file types it targets, and how to tell if you're been infected.
cryptolocker:-everything-you-need-to-know
CryptoLocker: Everything You Need to Know
CryptoLocker is a type of malware that encrypts files, holding them for ransom. For this reason, CryptoLocker and its variants have come to be known as “ransomware.”